[LINK] The "health" record security model
David
dlochrin at key.net.au
Sun Nov 11 12:48:51 AEDT 2018
ABC Radio National had some interesting programs this (Sunday) morning.
Round Table - https://www.abc.net.au/radionational/programs/the-roundtable/my-health-record-privacy-data/10474670 - discussed My Health Record. Two apologists for it had nothing very interesting to say, and much of it would have to be described as naive. But the third panelist was Professor David Vaile, Executive Director of the Cyberspace Law and Policy Centre at UNSW.
He revealed that medical information (other than a summary of any allergies?) isn't held in a structured database but is a collection of PDF documents! Can you imagine a patient lying unconscious in ED while a doctor makes a cup of coffee and settles down to plow through them?
One apologist emphasised how there were legislated penalties for unauthorised access, and penalties seem to be the main security mechanism. But Prof. Vaile described MHRecord as having an appallingly bad IT security model, rather like leaving the bank unlocked because there were penalties for theft. By default, access is allowed and there are no account PINs. Furthermore, individual use is _not_ logged, only the organisation responsible, and it may even be the case that those individuals are not even mentioned in the legislation.
(Roger, is that true? How can they be penalised in that case?)
Access by organisations including the ATO, Centrelink, the police, etc. wasn't mentioned.
The Coalition has tried to abolish & defund the Office of the Privacy Commissioner, and now the MHRecord director of privacy has resigned - see https://www.smh.com.au/technology/my-health-record-s-privacy-chief-quits-amid-claims-agency-not-listening-20181107-p50elu.html
People have until next Thursday (or will it be Wednesday?) to opt out.
David L.